Web Security - PowerPoint PPT Presentation

Provided by: AdamCh7
Learn more at: https://cse.osu.edu
1
Web Security
  • Adam C. Champion and Dong Xuan
  • CSE 4471 Information Security

2
Outline
  • Web Basics
  • Web Threats and Attacks
  • Countermeasures

3
Introduction
  • Average user spends 16 h/month online (32 h/month
    in U.S.) [1]
  • People spend much time interacting with Web, Web
    applications (apps)
  • Their (lack of) security has major impact
  • Interaction via Web browser
  • We'll first review some Web basics

Figure (source [2, 3])
4
The Web
  • Web page
  • Consists of objects
  • Addressed by a URL
  • Most Web pages consist of
  • Base HTML page, and
  • Several referenced objects.
  • URL has two components: host name and path name
  • User agent for Web is called a browser
  • MS Internet Explorer
  • Netscape Communicator
  • Server for Web is called Web server
  • Apache (public domain)
  • MS Internet Information Server

5
The Web: the HTTP Protocol
  • HTTP: HyperText Transfer Protocol
  • Web's application layer protocol
  • Client/server model
  • Client: browser that requests, receives,
    displays Web objects
  • Server: Web server sends objects in response to
    requests
  • HTTP 1.0: RFC 1945
  • HTTP 1.1: RFC 2068

Figure: HTTP request/response exchanges between a PC running Explorer, a Mac running Navigator, and a server running NCSA Web server
6
The HTTP Protocol (more)
  • HTTP: TCP transport service
  • Client initiates TCP connection (creates socket)
    to server, port 80
  • Server accepts TCP connection from client
  • HTTP messages (application-layer protocol
    messages) exchanged between browser (HTTP client)
    and Web server (HTTP server)
  • TCP connection closed
  • HTTP is stateless
  • Server maintains no information about past client
    requests

Aside:
  • Protocols that maintain state are complex!
  • Past history (state) must be maintained
  • If server/client crashes, their views of state
    may be inconsistent, must be reconciled

7
HTTP Example
  • Suppose user enters URL
    http://www.someschool.edu/aDepartment/index.html
    (contains text, references to 10 JPEG images)
  • 1a. HTTP client initiates TCP connection to HTTP
    server (process) at www.someschool.edu. Port 80
    is default for HTTP server.
  • 1b. HTTP server at host www.someschool.edu
    waiting for TCP connection at port 80. Accepts
    connection, notifies client
  • 2. HTTP client sends HTTP request message
    (containing URL) into TCP connection socket
  • 3. HTTP server receives request message, forms
    response message containing requested object
    (aDepartment/index.html), sends message into
    socket
8
HTTP Example (Cont.)
  • 4. HTTP server closes TCP connection.
  • 5. HTTP client receives response message
    containing HTML file, displays HTML. Parsing HTML
    file, finds 10 referenced JPEG objects
  • 6. Steps 1-5 repeated for each of 10 JPEG objects
9
Non-Persistent and Persistent Connections
  • Non-persistent
  • HTTP/1.0
  • Server parses request, responds, and closes TCP
    connection
  • 2 RTTs to fetch each object
  • Each object transfer suffers from slow start
  • Persistent
  • Default for HTTP/1.1
  • On same TCP connection: server parses request,
    responds, parses new request, ...
  • Client sends requests for all referenced objects
    as soon as it receives base HTML.
  • Fewer RTTs and less slow start.

But most browsers use parallel TCP connections.
10
HTTP Message Format: Request
  • Two types of HTTP messages: request, response
  • HTTP request message
  • ASCII (human-readable format)

    request line (GET, POST, HEAD commands):
      GET /somedir/page.html HTTP/1.0
    header lines:
      User-agent: Mozilla/4.0
      Accept: text/html, image/gif, image/jpeg
      Accept-language: fr
    (extra carriage return, line feed)

  • Carriage return, line feed indicates end of
    message
11
HTTP Request Message General Format
12
HTTP Message Format: Response

    status line (protocol, status code, status phrase):
      HTTP/1.0 200 OK
    header lines:
      Date: Thu, 06 Aug 1998 12:00:15 GMT
      Server: Apache/1.3.0 (Unix)
      Last-Modified: Mon, 22 Jun 1998 ...
      Content-Length: 6821
      Content-Type: text/html
    data, e.g., requested html file:
      data data data data data ...
13
HTTP Response Status Codes
In first line in server→client response
message. A few sample codes:
  • 200 OK
  • request succeeded, requested object later in this
    message
  • 301 Moved Permanently
  • requested object moved, new location specified
    later in this message (Location)
  • 400 Bad Request
  • request message not understood by server
  • 404 Not Found
  • requested document not found on this server
  • 505 HTTP Version Not Supported

14
Try HTTP (Client Side) for Yourself
  • 1. Telnet to your favorite Web server

      telnet www.cse.ohio-state.edu 80

    Opens TCP connection to port 80 (default HTTP
    server port) at www.cse.ohio-state.edu. Anything
    typed in is sent to port 80 at
    www.cse.ohio-state.edu
  • 2. Type in a GET HTTP request

      GET /xuan/index.html HTTP/1.0

    By typing this in (hit carriage return twice),
    you send this minimal (but complete) GET request
    to HTTP server
  • 3. Look at response message sent by HTTP server!
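The request format of slide 10, the response format of slide 12 and the telnet exercise above can all be exercised with a few lines of Python. The following is an added example, not code from the slides: `build_request` produces the same minimal GET request the telnet session types (terminated by the blank line, i.e. two carriage return / line feed pairs), `parse_response` splits a response into status line, header lines and body, and `raw_get` does over a socket what the telnet demo does by hand. The sample response bytes, the `raw-get/0.1` user agent string and the body length are constructed for this example.

```python
"""HTTP/1.0 on the wire: build the request the telnet demo types by hand and
parse the response that comes back (status line, header lines, body)."""
import socket
import sys

CRLF = "\r\n"

# Constructed sample response in the shape of slide 12 (header values and the
# body are made up for this example).
SAMPLE_RESPONSE = (
    b"HTTP/1.0 200 OK\r\n"
    b"Date: Thu, 06 Aug 1998 12:00:15 GMT\r\n"
    b"Server: Apache/1.3.0 (Unix)\r\n"
    b"Content-Length: 27\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html>data data data</html>"
)


def build_request(path, host, headers=None):
    """Return the bytes a browser sends: request line, header lines, then the
    empty line (CRLF CRLF) that tells the server the message is complete."""
    lines = [f"GET {path} HTTP/1.0", f"Host: {host}"]
    for name, value in (headers or {}).items():
        lines.append(f"{name}: {value}")
    lines += ["", ""]  # two empty items joined by CRLF give the terminating CRLF CRLF
    return CRLF.join(lines).encode("ascii")


def parse_response(raw):
    """Split a raw response into its parts.  Returns None while the header
    block is incomplete (no blank line yet), so a caller reading from a
    socket knows it must keep receiving."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.decode("iso-8859-1").split(CRLF)
    parts = lines[0].split(" ", 2)  # e.g. "HTTP/1.0 200 OK"
    version, code = parts[0], int(parts[1])
    phrase = parts[2] if len(parts) > 2 else ""
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # field names are case-insensitive
    length = headers.get("content-length")
    if length is not None and length.isdigit():
        body = body[: int(length)]  # keep only the declared length
    return {"version": version, "status": code, "phrase": phrase,
            "headers": headers, "body": body}


def raw_get(host, port, path):
    """What the telnet demo does by hand: open a TCP connection (port 80 is the
    default), send one GET, then read until the HTTP/1.0 server closes the
    connection, which is how a non-persistent connection signals the end."""
    with socket.create_connection((host, port), timeout=10) as sock:
        sock.sendall(build_request(path, host, {"User-agent": "raw-get/0.1",
                                                "Accept": "text/html"}))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:  # server closed the connection: message is complete
                break
            chunks.append(data)
    return parse_response(b"".join(chunks))


if __name__ == "__main__":
    # Same as the telnet demo: python raw_get.py www.cse.ohio-state.edu /xuan/index.html
    host = sys.argv[1] if len(sys.argv) > 1 else "www.cse.ohio-state.edu"
    path = sys.argv[2] if len(sys.argv) > 2 else "/xuan/index.html"
    resp = raw_get(host, 80, path)
    if resp is None:
        print("connection closed before a complete header block arrived")
    else:
        print(resp["version"], resp["status"], resp["phrase"])
        for name, value in resp["headers"].items():
            print(f"  {name}: {value}")
```

Run as `python raw_get.py <host> <path>`. The parser returns None until the CRLF CRLF terminator has arrived, which is the same condition the telnet exercise depends on when it asks you to hit return twice; a real server that is HTTPS-only today will typically answer such a plaintext request with a 301 redirect rather than the page.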
15
Outline
  • Web Basics
  • Web Threats and Attacks
  • Information Leakage
  • Misleading Websites
  • Malicious Code
  • Countermeasures

16
Information Leakage
  • Sensitive information can be leaked via Web
  • All files accessible under a Web directory can be
    downloaded via GET requests
  • Example 1:
  • http://www.website.com/secret.jpg is publicly
    accessible
  • http://www.website.com/index.html has no link to
    secret.jpg
  • Attacker can still download secret.jpg via GET
    request!
  • Example 2: searching online for proprietary,
    confidential information

17
Misleading Websites
  • Cybersquatters can register domain names similar
    to (trademarked) company, individual names
  • Example: http://www.google.com vs.
    http://gogle.com vs. ...
  • Practice is illegal if done in bad faith
  • Arbitration procedures available for name
    reassignment (ICANN)

18
XSS and CSRF
  • Cross-site scripting (XSS): inject JavaScript
    from external source into insecure websites
  • Example input:
    <script type="text/javascript"><!-- evil code --></script>
  • Cross-site request forgery (CSRF): force victim
    browser to send request to external website →
    performs task on browser's behalf
  • Example: force load
    <img src="http://www.bigbank.com/transferFunds.php?from=User&to=Attacker" />

19
SQL Injection
  • Common vulnerability (71 attacks/hour [18])
  • Exploits Web apps that [17, 19]:
  • Poorly validate user input for SQL string literal
    escape characters, e.g., '
  • Example [19]:
  • "SELECT * FROM users WHERE name = '" + userName
    + "'"
  • If userName is set to ' or '1'='1, the resulting
    SQL is SELECT * FROM users WHERE name = '' OR
    '1'='1'
  • This evaluates to SELECT * FROM users → displays
    all users
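The concatenated query from the slide next to its parameterized form, as an added example in Python with the standard-library sqlite3 module (not code from the slides or from the cited sources). The users table and its names are constructed for the demo. Running the slide's input `' OR '1'='1` through both lookups shows the vulnerable query returning every row while the parameterized one returns none; `is_valid_username` is the allowlist check that the countermeasures slide calls input validation, with the rule (letters, digits, underscore, 1 to 32 characters) chosen here for illustration.

```python
"""SQL injection: the slide's concatenated query beside a parameterized one."""
import re
import sqlite3

# Constructed sample data for the demo.
USERS = [("alice", "alice@example.edu"),
         ("bob", "bob@example.edu"),
         ("carol", "carol@example.edu")]

# Allowlist chosen for this example: letters, digits or underscore, 1-32 chars.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, user_name):
    """The slide's pattern: the statement is assembled by string concatenation,
    so a quote in user_name closes the literal and the rest is parsed as SQL."""
    query = "SELECT * FROM users WHERE name = '" + user_name + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, user_name):
    """Fix: the statement text is fixed; the driver binds user_name as a value,
    so whatever it contains can never change the structure of the query."""
    return conn.execute("SELECT * FROM users WHERE name = ?", (user_name,)).fetchall()


def is_valid_username(user_name):
    """Input validation as a second layer: reject anything outside the
    allowlist before it reaches the database at all."""
    return USERNAME_RE.match(user_name) is not None


def demo():
    conn = make_db()
    hostile = "' OR '1'='1"  # the slide's input
    return {
        "vulnerable_benign": lookup_vulnerable(conn, "alice"),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),        # every row
        "parameterized_hostile": lookup_parameterized(conn, hostile),  # no rows
        "hostile_passes_validation": is_valid_username(hostile),       # False
    }
```

The parameterized form is the primary fix: the database sees one statement with one bound value and there is no string for the quote to escape from. The allowlist is defence in depth, useful mainly because it also rejects input that other code paths might later concatenate somewhere.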

20
Malicious Shellcode
  • Shellcode is non-self-contained binary executable
    code
  • Distinct from malware that executes on its own
  • Shellcode can only execute after injection into a
    running process's virtual address space
  • Most shellcode written in Intel IA-32 assembly
    language (x86)
  • When injected into JS code, shellcode executes
  • Hijacks browser process
  • Can totally control target process or system
  • Shellcode attack vector for malicious code
    execution on target systems (e.g., Conficker
    worm)
  • Usually, browser downloads JS code containing
    shellcode
  • JS code executes, controls target process/system

21
A Toy Shellcode

    mov ebx, 0
    mov eax, 1
    int 0x80

  • Shellcode for exit() system call
  • Store 0 into register ebx
  • Store 1 into register eax
  • Execute instruction int 0x80
  • Assembled shellcode injected into JS code

Figure: the shellcode assembly (mov ebx, 0; mov eax, 1; int 0x80) assembles to
the bytes bb 00 00 00 00 b8 01 00 00 00 cd 80; the binary payload is injected
into JS code, appearing as ...3caabb00000000b801000000cd80ad46... between JS
code and more JS code. Disguised as normal data, it is injected into target
processes' address spaces and compromises target processes' security.
22
Outline
  • Web Basics
  • Web Threats and Attacks
  • Countermeasures
  • HTTPS
  • Blacklist Filtering
  • Malicious Code Detection

23
HTTPS (HTTP Secure)
  • HTTPS uses cryptography with HTTP [8]
  • Alice, Bob have public, private keys; public keys
    accessible via certificate authority (CA)
  • Alice encrypts message with Bob's public key,
    signs message with her private key
  • Bob decrypts message with his private key,
    verifies message using Alice's public key
  • Once they know each other, they can communicate
    via symmetric crypto keys
  • HTTPS provides greater assurance than HTTP

24
TLS/SSL
  • HTTPS uses Transport Layer Security (TLS), Secure
    Sockets Layer (SSL), for secure data transport
    [8]
  • Data transmitted via client-server tunnel
  • Much harder to compromise than HTTP
  • Problems [8]:
  • Relies on CA infrastructure integrity
  • Users can make mistakes (blindly click OK)

Source [8]
25
HTTPS Example
  • User visits website via HTTPS, e.g.,
    https://gmail.com
  • Browser sends TLS/SSL request, public key,
    message authentication code (MAC) to gmail.com;
    gmail.com does likewise
  • TLS/SSL encrypt entire connection; HTTP layered
    atop it
  • Both parties verify each other's identity,
    generate symmetric key for following
    communications
  • Browser retrieves public key certificate from
    gmail.com signed by certificate authority
    (Equifax)
  • Certificate attests to site's identity
  • If certificate is self-signed, browser shows
    warning
  • Browser, gmail.com use symmetric key to
    encrypt/decrypt subsequent communications

26
Blacklist Filtering (1)
  • Misleading websites: register domain names
    similar to trademarks, e.g., www.google.com,
    gogle.com, etc.
  • XSS
  • Validate user input; reject invalid input
  • Blacklist offending IP addresses
  • CSRF
  • Use random token in web app forms
  • If token is replayed, reject form (blacklist IP
    addresses)
  • SQL injection
  • Validate user input to databases; reject invalid
    input
  • Blacklist IP addresses
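The random form token the CSRF item above prescribes, including rejection of a replayed token, as an added example in Python (not code from the slides). The `CsrfTokens` class, `handle_transfer` and the session ids are constructed for the demo. The forged request mirrors the `<img>` example from the XSS and CSRF slide: the victim's browser attaches the session cookie, but the attacker's page cannot read the token bound to that session, so the form handler rejects it.

```python
"""CSRF tokens: issue a random token per rendered form, accept it exactly once."""
import hmac
import secrets


class CsrfTokens:
    """Server-side store of outstanding tokens, keyed by session.  issue() is
    called when a form is rendered; verify() consumes the token on submit, so
    a replayed, missing or foreign token fails.  The class and its API are
    constructed for this example."""

    def __init__(self):
        self._outstanding = {}  # session_id -> set of tokens not yet used

    def issue(self, session_id):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._outstanding.setdefault(session_id, set()).add(token)
        return token

    def verify(self, session_id, submitted):
        if not isinstance(submitted, str) or not submitted.isascii():
            return False
        tokens = self._outstanding.get(session_id, set())
        # Constant-time comparison against each token still outstanding.
        match = next((t for t in tokens if hmac.compare_digest(t, submitted)), None)
        if match is None:
            return False
        tokens.discard(match)  # one-time use: replaying the same token now fails
        return True


def handle_transfer(tokens, session_id, form):
    """Form handler: refuse the state-changing action unless the submitted
    token is valid for this session and has not been used before."""
    if not tokens.verify(session_id, form.get("csrf_token")):
        return "rejected"
    return f"transferred {form['amount']} to {form['to']}"


def demo():
    tokens = CsrfTokens()
    sid = "session-123"  # constructed session id (in practice taken from the cookie)
    token = tokens.issue(sid)
    legit = handle_transfer(tokens, sid, {"csrf_token": token, "amount": "10", "to": "bob"})
    replay = handle_transfer(tokens, sid, {"csrf_token": token, "amount": "10", "to": "bob"})
    # The slide's <img src=".../transferFunds.php?..."> request: the browser sends
    # the victim's cookie, but the forged request carries no token.
    forged = handle_transfer(tokens, sid, {"amount": "10", "to": "attacker"})
    # A token issued to some other session is not valid for this one either.
    other = handle_transfer(tokens, sid, {"csrf_token": tokens.issue("session-999"),
                                         "amount": "10", "to": "attacker"})
    return {"legit": legit, "replay": replay, "forged": forged, "other_session": other}
```

Binding tokens to the session is what makes the forged request fail: a token is only accepted for the session it was issued to, and discarding it on first use is what turns a replayed submission into the rejection the slide describes.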

27
Blacklist Filtering (2)
  • Helpful browser extensions
  • NoScript/NotScripts (stop XSS)
  • AdBlock (can stop malicious scripts in ads)
  • SSL Everywhere (force HTTPS)
  • Google Safe Browsing
  • etc.

28
Defending Against Shellcode
  • Two main detection approaches:
  • Content Analysis
  • Checks objects' contents before using them
  • Decodes content into instruction sequences,
    checks if malicious
  • Hijack Prevention
  • Focuses on preventing shellcode from being fully
    executed
  • Randomly inserts special bytes into objects'
    contents, raises exception if executed
  • Can be thwarted using several short connected
    shellcodes

29
Content Analysis
  • Two major types of content analysis
  • Static Analysis
  • Uses signatures, code patterns to check for
    malicious instructions
  • Advantage: Fast
  • Disadvantages: Incomplete; can be thwarted by
    obfuscation techniques
  • Dynamic Analysis
  • Detects a malicious instruction sequence by
    emulating its execution
  • Advantages: Resistant to obfuscation; more
    complete than static analysis
  • Disadvantage: Slower
  • Focus on dynamic analysis (greater completeness)
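To make the static-versus-dynamic distinction above concrete, here is an added example in Python (not code from the slides or from JSGuard): a byte-signature scanner for the toy exit() shellcode of the "A Toy Shellcode" slide, beside a scanner that decodes the same small instruction subset (mov r32, imm32; xor r32, r32; int imm8), tracks what each instruction leaves in the registers, and flags an `int 0x80` reached with eax holding syscall number 1. The embedded payload, the re-encoded variant and the benign string are constructed inputs; the decoder covers only those three instruction forms.

```python
"""Content analysis of a byte string for the toy exit() shellcode: byte
signature (static) versus decoding the instructions and tracking registers."""

# The slide's toy shellcode: mov ebx,0 ; mov eax,1 ; int 0x80
SIGNATURE = bytes.fromhex("bb00000000b801000000cd80")

# Constructed inputs for the demo.
EMBEDDED = b"\x3c\xaa" + SIGNATURE + b"\xad\x46"   # payload hidden among other bytes
VARIANT = bytes.fromhex("31dbb801000000cd80")      # xor ebx,ebx ; mov eax,1 ; int 0x80
BENIGN = b"var greeting = 'hello, world'; document.write(greeting);"

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def signature_scan(data):
    """Static analysis: does the exact byte pattern occur?  Fast, but any
    re-encoding of the same behaviour is missed."""
    return SIGNATURE in data


def decode(data, pos):
    """Decode one instruction from the subset the toy uses.  Returns
    (mnemonic, operands, length), or None if the bytes are not in the subset."""
    op = data[pos]
    if 0xB8 <= op <= 0xBF and pos + 5 <= len(data):   # mov r32, imm32
        imm = int.from_bytes(data[pos + 1:pos + 5], "little")
        return ("mov", (REG32[op - 0xB8], imm), 5)
    if op == 0x31 and pos + 2 <= len(data):             # xor r/m32, r32 (register form only)
        modrm = data[pos + 1]
        if modrm >> 6 == 3:
            return ("xor", (REG32[modrm & 7], REG32[(modrm >> 3) & 7]), 2)
    if op == 0xCD and pos + 2 <= len(data):             # int imm8
        return ("int", (data[pos + 1],), 2)
    return None


def emulate_scan(data):
    """Decode from every offset (injected code can start anywhere in the
    string), track what each instruction puts in the registers, and flag an
    `int 0x80` reached with eax == 1, the exit() system call, however the
    registers were loaded.  An undecodable byte ends the current trace."""
    for start in range(len(data)):
        regs = {}
        pos = start
        while pos < len(data):
            ins = decode(data, pos)
            if ins is None:
                break
            name, ops, size = ins
            if name == "mov":
                regs[ops[0]] = ops[1]
            elif name == "xor":
                dst, src = ops
                if dst == src:
                    regs[dst] = 0
                elif dst in regs and src in regs:
                    regs[dst] ^= regs[src]
                else:
                    regs.pop(dst, None)  # value now unknown
            elif name == "int" and ops[0] == 0x80 and regs.get("eax") == 1:
                return True
            pos += size
    return False


def scan_report(data):
    """Both verdicts side by side for one object's contents."""
    return {"signature": signature_scan(data), "emulation": emulate_scan(data)}
```

The variant loads ebx by a different instruction than the slide's shellcode, so the byte signature no longer matches while the emulating scanner still reaches the same `int 0x80` with eax set to 1; that is the incompleteness the slide attributes to static analysis. A real detector such as the JSGuard design described on the following slides goes much further (full instruction decoding, use of the target process's real memory contents, no reliance on GetPC code); this toy only illustrates why matching bytes is not enough.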

30
Dynamic Analysis
  • Approaches assume self-contained shellcodes
  • Analyses: shellcode emulation
  • Inefficiently uses JS code execution environment
    information
  • All memory reads/writes only go to emulated
    memory system
  • Detection uses GetPC code
  • Current dynamic analysis approaches can be
    fooled
  • Shellcode using JS code execution environment
    info
  • Shellcode using target process virtual memory
    info
  • Shellcode not using GetPC code
  • To detect all malicious shellcodes, we need a
    better approach

31
JSGuard (1)
  • Our design rationale [20]
  • Use dynamic analysis to detect malicious JS
    objects
  • Create a virtual execution environment for
    detection
  • Leveraging (1) target process's virtual memory
    information, (2) target system's context
    information in detection
  • NOT a whole-system emulator
  • Facilitate multiple-level redundancy reduction
  • Stack frames: check origins of JS code being
    interpreted
  • Native methods: check if native methods to be
    called originate from JS interpreter or external
    components
  • Objects' properties
  • Assume JS interpreter's (native) methods have no
    memory errors

32
JSGuard (2)
  • It's hard to fool our method [20]
  • Shellcode can use JS code execution environment
    information to fool other dynamic analysis
    approaches
  • Our design leverages system's context information
  • Shellcode can use target process's virtual memory
    information to fool other dynamic analysis
    approaches
  • Our design uses target process's virtual memory
    information
  • Shellcode can avoid GetPC code to fool other
    dynamic analysis approaches
  • Our method does not rely on GetPC code for
    detection. We leverage real virtual memory
    content to decode instructions and emulate their
    execution

33
JSGuard (3)
  • JSGuard architecture shown in figure below [20]
  • We mainly check JSString objects for shellcode
    injection (hard to inject shellcode in other JS
    objects)
  • Architecture runs in client-side application's
    address space (Firefox browser)
  • JSString objects input to malicious JSString
    detector, which scans for shellcode using
    shellcode analyzer

Source [20]
34
Summary
  • Web based on plaintext HTTP protocol (stateless)
  • Web security threats include information leakage,
    misleading websites, and malicious code
  • Countermeasures include HTTPS, blacklist
    filtering mechanisms, and malicious code detection

35
References (1)
  1. Go-Gulf.com, How People Spend Their Time Online, 2012, http://www.mindjumpers.com/blog/wp-content/uploads/2012/05/online-time.jpg2.gif
  2. P. Irish, http://paulirish.com/lovesyou/new-browser-logos
  3. Twitter, Bootstrap, http://twitter.github.com/bootstrap/
  4. E. Benoist, HTTP: Hypertext Transfer Protocol, 2012, http://benoist.ch/WebSecurity/slides/http/slidesHTTP.pdf
  5. Electronic Frontier Foundation, Panopticlick, https://panopticlick.eff.org/
  6. M. Zalewski, The Tangled Web: A Guide to Securing Modern Web Apps, No Starch Press, San Francisco, 2012.
  7. RFC 2616, https://www.rfc-editor.org/rfc/rfc2616.txt
  8. E. Benoist, HTTPS: Secure HTTP, 2012, http://benoist.ch/WebSecurity/slides/https/slidesHTTPS.pdf
  9. E. Benoist, Cross Site Scripting (XSS), 2012, http://benoist.ch/WebSecurity/slides/crossSiteScripting/slidesXSS.pdf
  10. Wikipedia, Cross-site scripting, 2012, https://en.wikipedia.org/wiki/Cross-site_scripting
  11. Wikipedia, Same origin policy, 2012, https://en.wikipedia.org/wiki/Same_origin_policy

36
References (2)
  12. E. Benoist, Cross Site Request Forgery (CSRF), 2012, http://benoist.ch/WebSecurity/slides/csrf/slidesCSRF.pdf
  13. Wikipedia, Confused deputy problem, 2012, https://en.wikipedia.org/wiki/Confused_deputy_problem
  14. Wikipedia, Cross-site Request Forgery, 2012, https://en.wikipedia.org/wiki/Cross-site_request_forgery
  15. T. Wilson, Hacker Steals Data on 18M Auction Customers in South Korea, Dark Reading, 26 Feb. 2008, http://www.darkreading.com/security/perimeter-security/211201111/
  16. J. Grossman, Hacking Intranet Sites from the Outside, Black Hat, 2006, http://www.blackhat.com/presentations/bh-jp-06/BH-JP-06-Grossman.pdf
  17. E. Benoist, Injection Flows, 2012, http://benoist.ch/WebSecurity/slides/injectionFlows/slidesInjectionFlows.pdf
  18. Imperva, SQL Injection By The Numbers, 20 Sep. 2011, http://blog.imperva.com/2011/09/sql-injection-by-the-numbers.html
  19. Wikipedia, SQL injection, 2012, https://en.wikipedia.org/wiki/Sql_injection
  20. B. Gu, W. Zhang, X. Bai, A. C. Champion, F. Qin, and D. Xuan, JSGuard: Shellcode Detection in JavaScript, Proc. SECURECOMM, 2012.
  21. Open Web Application Security Project (OWASP), http://owasp.org

37
References (3)
  22. G. T. Buehrer, B. W. Weide, and P. A. G. Sivilotti, Using Parse Tree Validation to Prevent SQL Injection Attacks, Proc. FSE/ESEC Intl. Workshop on Software Engineering and Middleware, 2005.
  23. Wikipedia, HTTP Secure, https://en.wikipedia.org/wiki/Https